Worried About Message, Colleges Scrutinize Social Media

One thing that struck auditors of university-related social media at Northern Illinois U. was how much was out there. More than 150 Facebook, YouTube, and other accounts, like the Flickr page above, were found.

By Jennifer Howard

Lynne M. Thomas, curator of rare books and special collections at Northern Illinois University Libraries, used to maintain two work-related Facebook pages and a blog. This past summer, she put them on hiatus—and took to social media to explain why.

"Our institution has launched new reporting requirements for all NIU social-media accounts that are, to put it mildly, onerous to the point of ludicrous," Ms. Thomas wrote on her personal blog. "They want us to count all interactions. And document whether they are positive, negative, or neutral. They want screen shots to document all of our counting and downloaded analytics. Every. Month."

As colleges take a greater interest in what employees do online as part of their work, Ms. Thomas is likely to find she's not alone in feeling burdened by increased scrutiny. How to handle social media has become a popular topic at conferences for administrators, and other institutions are likely to follow Northern Illinois's example, if they haven't already. "We're not the only university that's going through these social-media audits," said Kathryn A. Buettner, the university's vice president for university relations. If others aren't going through the same thing, "they will be soon."

So far, there have been no reports that other social-media administrators at Northern Illinois have taken a turn-out-the-lights approach, but the reporting requirement kicked in only this month.

Still, the prospect of all that red tape was too much for Ms. Thomas, at least temporarily. In a subsequent blog post, she said she is considering her options as the library reworks its social-media strategy. For now, though, "my departmental social-media stuff is no longer active, although I retain my personal accounts, noting that my opinions are my own, per university policy." she said via e-mail.

Just a Few Clicks

When any member of a department or program can with a few clicks create an online presence, how many semi-institutional Facebook pages, blogs, Twitter streams, and YouTube channels are springing up? How watchful an eye should a college keep on them? As their institutions test the possibilities of social-media sites, university administrators—among them public-relations and communications staff members and risk managers—are trying to figure out how to balance the rewards and risks of social engagement.

Many colleges and universities, including Northern Illinois, already have guidelines for online behavior. Within legal limits, what professors, staff members, and students say on their personal Web sites or Twitter feeds is their own business, as long as they make it clear that they're not speaking for the institution.

University-affiliated accounts—for instance, a department's Web site or library's Facebook page­­—are a different animal. They can broadcast a university's strengths, be used in teaching and research, attract prospective students and faculty and staff members, and cultivate relationships with alumni. But encountering a negative comment thread, or getting no response at all to questions or input, could turn off a student or donor. In the most dismal scenarios, online harassment or unreported threats could lead to legal complaints or campus violence.

Northern Illinois's investigation of social-media use wasn't triggered by any particular problem, according to Danielle L. Schultz, director of internal audit there. The issue came up last year in her annual across-the-board review of possible vulnerabilities at the university, she said. "It really fell under the category of 'What's happening, what's emerging as a potential risk for the university's operations?'"

From Ms. Schultz's perspective, "reputational risk"—any threat to the university's reputation—"is probably the biggest risk." Potential violations of state or federal laws and regulations concern her. "We want to make sure there's sufficient oversight to handle and address anything that comes up," the auditor said.

"An even greater risk might be to ignore social media—not review it, just let it go on, let everyone go out there and set up Facebook and Twitter and YouTube accounts," Ms. Schultz added. "If we're not engaged in a strategic way, that's a risk to the university in meeting our strategic goals."

170 Accounts

One striking finding from Northern Illinois's examination of social-media accounts was how little the university actually knew about them. Ms. Schultz's office identified about 170 Facebook pages, Twitter feeds, and YouTube channels that qualified as university-related. About 70 percent weren't listed in the university's existing social-media database. Even for accounts that were listed, the database didn't include records of who administered them.

After the audit, Ms. Schulz's office made several recommendations: Maintain the social-media database better; make sure that departments and divisions are aware of the university's social-media policy and the need "to be engaged in listening to their own content"; and ask account administrators to collect monthly "engagement metrics" as part of monitoring what happens on university-related channels.

A detailed online tutorial explains how to collect analytics for Facebook, Twitter, YouTube, Linked­In, and blogs. A final section discusses how to monitor online interactions. "Each time a post or comment on any social-media platform requires a response, the sentiment of that comment should be logged," the tutorial advises. "Report the total number of posts requiring a response on Facebook, Twitter, all other social-media platforms and how many total posts were positive, negative, and neutral."

It's not clear yet how much of a hassle the monthly reports will turn out to be. Patrick J. Dawson is dean of Northern Illinois University Libraries, where Ms. Thomas works. He said that he's not concerned that collecting metrics will be an undue burden on his staff, and that he's asked the library's information-technology specialist to handle the monthly reporting. When the audit findings and recommendations were presented to the council of deans, nobody raised objections, according to Mr. Dawson.

Holly A. Nicholson, the university's social-media manager, said the idea isn't to burden people but to help them gauge how well their social-media presence works. "I want people to understand that this is going to help them, not hurt them," she said. "When you understand what engagement your posts are bringing in, this informs your strategy."

'A Routinized Mechanism'

Ms. Buettner, the vice president for university relations, said that part of the point is to make sure someone's looking at each social-media account on a regular basis. "I don't think it's overly burdensome" compared to the potential risks the university faces, she said. After three months, the university will take stock of how well the data-collection process is working, she said.

"Nobody loves to sit and write analytics reports," Ms. Buettner said. "We'd rather be on social media and not have any worries about it. But social media has evolved into a routinized mechanism of communication, and with that there are expectations and rules if you're going to use the university's name."

Northern Illinois University has company in feeling the need to take a closer look at social-media activity connected with it, according to Phillip W. Hurd, president of the Association of College and University Auditors. While he's also chief audit executive at the Georgia Institute of Technology, he says that on this issue he's speaking as the association's president.

"For the last two or three years, we have ramped up the focus on social media in all of its aspects—both the risks and rewards," he said.

Firm numbers are hard to come by, but the auditors' association has seen "a very large curve in the number of folks who are actually conducting some type of social-media audit," Mr. Hurd said. Lately the group has had requests from "dozens of institutions" for more information on how to conduct such audits, he said, and panels and talks on the topic have become some of the best-attended sessions at the association's annual conference.

Auditing social media "has become a very, very valuable resource in terms of understanding who is using or misusing resources," Mr. Hurd said. That mirrors a shift in the larger corporate world, according to Mike Jacka, a consultant and former internal auditor who is the author, with Peter R. Scott, of Auditing Social Media: A Governance and Risk Guide (Wiley, 2011).

Monitoring online conversations is essential for institutions now "because you don't know what's going to happen," Mr. Jacka said. "People used to gossip across the fence. Now they gossip across the world."

Collecting metrics, though, can have "hidden costs" for an organization—such as Ms. Thomas's decision to suspend her accounts. "If you're going to get involved with metrics, what the heck are you trying to measure?" Mr. Jacka said. "How do you tie your social-media metrics into the objective of the organization?"

His advice to university auditors and administrators is to tackle the issue now and develop consistent strategies on how to handle social media. "The big thing I'd say for internal audit is, Do not put it off," Mr. Jacka said. "To get in there right away and not be afraid of it, because it isn't that scary."

Don't Wait for Trouble

Steven J. McDonald, general counsel at the Rhode Island School of Design, advises colleges to be clear with faculty and staff members about how to handle what he calls "institutional voices" online. Instead of "waiting to catch people," he said, "I would spend some time explaining" what the guidelines are.

"It would be very useful for institutions to spend time talking to the people who are doing this," he said. Acting out of fear "is not usually a good way to make long-lasting policy."

Enhanced oversight, he noted, could have unintended negative consequences beyond irritating account managers. "If you do monitor and you fail to catch something, you may have doubled down on your liability," he said.

Mr. McDonald pointed out that the need to balance engagement and freedom of expression with institutional responsibility and risk isn't new. "Every time we have a new one of these tools, people tend to think that it's unregulated and it's kind of the Wild West," he said. "But that's not the case. We've had standards that apply across the board for years and decades and centuries, and the medium doesn't really matter."

For instance, libel is libel, whether it's in a department's Xeroxed newsletter or on its Web site. "It's the behavior that's regulated, not the medium," Mr. McDonald said. "The problem is it's much easier to notice on the Internet."